The password is much maligned these days – and some, like the State of South Carolina, have 12 million dollars' worth of sad reasons to know why.
Although passwords typically aren’t the only variable in system compromises, they usually are one major weight-bearing card in a house of cards.
If a hacker pulls that card, bad things happen.
Consider South Carolina, which reported last week that a state employee’s password was stolen earlier this year by a hacker who eventually exposed the records of 3.8 million individuals and 700,000 business tax filers over the past 14 years.
Eventually, that single password was leveraged to steal other passwords, including passwords for all Windows user accounts. The hacker hop-scotched among web servers, file servers, remote access servers, payment systems and databases, a total of more than 45 servers, using additional passwords they stole along the way.
But the most eye-popping number is that the state will have to pay $12 million in identity protection services to those taxpayers whose data were compromised.
How are better protections built to stop or limit such a calamity? Policies, procedures, employee education and better technology decisions.
There is a brewing industry revolution in authentication and authorization – both cloud- and on-premises-based – that South Carolina and others should not ignore. It includes technology such as OAuth, OpenID Connect, SCIM, social and mobile identity; it is evident in massive identity initiatives in the U.S., the U.K. and other countries around the world; and it mixes in major cloud providers and vendors, including Ping and others, plying the wiring and glue of identity infrastructure and ID management.
The goal is to remove the weak-link password and protect assets via a network of user attributes, trusted providers and federations.
In the South Carolina disaster, the fuse was lit by an e-mail loaded with malicious code that likely included a simple keylogger. The e-mail was opened by one of a handful of employees who received it and their password was soon compromised and used to fuel a two-month-long, behind-the-scenes hack that was finally revealed by an independent network audit.
The hack also included the theft of 3.6 million social security numbers and 387,000 credit and debit card numbers. The personally identifiable information of 1.9 million dependents was also breached, and 80% of the state’s residents were affected.
South Carolina learned a hard lesson. State officials said multiple passwords were not required to get into sensitive data and tax information was not encrypted. But the state doesn’t seem to fully understand the issue.
Gov. Nikki Haley said at a press conference, “What we can do is put so many layers in this process that it is awfully hard to get into (the systems).”
Of course, what that will do is make the system near unusable for the people who really need to use it and add another step or two for hackers to repeat the breach.
What employees need is education on email, email attachments and the dangers that lurk within. And the state likely needs better password management policies and to review procedures for protecting sensitive data.
But ultimately, the state must shake its hold on the aging notion that security should be designed to keep bad people out and instead adopt the belief that security is about vetting then letting the good people in.
That’s where advancements in authentication and authorization can help not only with protecting resources but auditing and compliance.
Building more walls only means hackers will come prepared with more tricks to go over or around them.